BYOD Enhances Security

Conversations with end customer organizations over the past few weeks have necessitated a little clarification.

What I said was, “In many ways, BYOD [Bring Your Own Device] is safer” than traditional desktops with traditional application distribution methods.

Here’s the explanation.

In a traditional world, the users connect to servers and compute resources over campus site or branch site networks. All well and fine. Even in a traditional implementation of VDI–or another term as of late, End User Virtualization (EUV)–users connect to virtual desktops and applications over their networks, which then connect to servers and other compute resources over data center switches.

Consider the following diagram as a typical example.

In this example, external users connect through the Internet, through the corporate firewall, and through the NetScaler (perhaps with Global Service Load Balancing (GSLB) enabled to allow for an active-active Load Balance / Disaster Recovery scenario), and then hit the internal load balancer, which balances them to one of the Web Interface services for that site, which then delivers available published desktops and applications. This is a great scenario for an organization that also has well-managed desktops–or well-managed thin devices–both of which can provide a great user experience.

Beautiful. Until BYOD comes in. Now you have the understandably concerning security risk of external, non-company-owned devices running around on the internal network with who-knows-what malware protection, or what–if any–security disciplines included.

The two goals in this case are diametrically opposed. In the traditional sense, functionality is in opposition to security. BYOD is no different. However, properly implemented, BYOD can be an opportunity to think about the users (and their devices) differently.

What if we just move the whole experience to the inside? In other words, the only function the user device has at this point is an end device for published desktops and applications. That being the case, it is a much more compelling discussion to segment the user devices from the internal trusted network altogether.

So, make all users external, no matter where they’re coming from. Even if they’re coming from branch sites, or campus sites. Treat them all as external, corporate-owned or otherwise. This changes the dynamic a little. If you’ve already embraced the BYOD concept, and are now providing a stipend to users rather than equipment, then the transition is much easier. If you’re still managing some of the end devices, then the conversation shifts from how to allow application services to reach the end device to how to provide device management services to the device.

Consider this diagram as an example of how users can all be treated as external.

In this scenario, users come through the firewall no matter where they are: Branch sites, campus sites, or through the Internet from anywhere.

Consider the benefits vs. a traditional implementation.

Virtually any device can be chosen by the user–based on the user’s preferred work habits

Security needs are covered on the inside of the trusted network

Attack surface is greatly reduced, down to a single entry point over SSL
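The "everyone is external" design above comes down to one firewall policy: every user zone, whether branch, campus or Internet, gets exactly one forwarded path, TLS to the gateway, and only the gateway is allowed to talk to the broker tier and the published desktops behind it. The nftables ruleset below is an added example of that policy; it is not configuration from the original post or from any vendor. The interface names, the address ranges, the gateway VIP, and the broker and session ports (443/80 for the Web Interface tier, 1494 and 2598 for ICA and session reliability) are all assumptions chosen for illustration.

```nftables
#!/usr/sbin/nft -f
# Added example (not from the original post): a "treat every user as external"
# forwarding policy. All names, addresses and ports below are assumptions.
flush ruleset

# Assumed addressing: gateway VIP in the DMZ, broker and VDI tiers inside
# the trusted network.
define gateway_vip = 192.0.2.10
define broker_net  = 10.100.10.0/24
define vdi_net     = 10.100.20.0/24

table inet byod_edge {
    chain forward {
        # Default deny: a flow is forwarded only if a rule below admits it.
        type filter hook forward priority 0; policy drop;

        # Return traffic for sessions already admitted, and nothing malformed.
        ct state established,related accept
        ct state invalid drop

        # 1. Every user zone, corporate-owned device or not, gets the same
        #    single entry point: TLS to the gateway. A compromised BYOD laptop
        #    on the campus VLAN can reach exactly what an Internet user can.
        #    (Constructed interface names: branch0, campus0, wan0.)
        iifname { "branch0", "campus0", "wan0" } ip daddr $gateway_vip tcp dport 443 accept

        # 2. Only the gateway reaches the Web Interface / broker tier, and
        #    only on the ports that tier needs (assumed 80 and 443 here).
        iifname "dmz0" ip saddr $gateway_vip ip daddr $broker_net tcp dport { 80, 443 } accept

        # 3. Only the gateway carries session traffic to the published
        #    desktops and applications (assumed ICA 1494, session reliability 2598).
        iifname "dmz0" ip saddr $gateway_vip ip daddr $vdi_net tcp dport { 1494, 2598 } accept

        # Everything else, including any user zone talking to internal
        # servers directly, is logged and dropped. In the traditional design
        # those direct paths are what the user VLANs were routed to; here they
        # simply do not exist.
        log prefix "byod_edge drop: " counter drop
    }
}
```

Two things worth noticing in the design. First, the user zones are listed together on purpose: the point of the article is that branch and campus networks stop being "inside", and putting them in the same rule as the Internet-facing interface makes that decision explicit and hard to erode with a one-off exception later. Second, the rules for the gateway's own traffic are pinned to its source address and to specific destination ports, so the gateway is the only host with a path into the trusted network and the single entry point the post describes is also a single point to monitor; the `log` line is what feeds that monitoring. Before loading, `nft -c -f <file>` checks the syntax without touching the running ruleset.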

In the end, the users have a very similar experience to what they’re used to, using existing line-of-business and productivity applications, and with the added benefits of centralized management and the freedom to choose their own work experience.

One thing is certain: all organizations need to embrace the wave and take a deliberate approach. Putting user devices outside the trusted network can enhance security while still allowing users all the resources they need to be productive and happy.


VDI: The Promise and the Distant Dream

In the quest for centralization, security, control, ease-of-use, and user enablement, some of the best--and worst--implementations can be qualified by the perceived performance from the users' perspective. Nothing is more important than delivering to users the applications that enable them to do what they do--to be as productive and efficient as possible. Not much else matters coming out of the data center. As important as other things are--backup, anti-virus, redundancy, disaster planning, recovery, and even security--all are for naught if the users cannot produce.

VDI is an enabling set of technologies. VDI has been around, in one form or another, since the early 1990s, developed from Terminal Services, Remote Desktop Services, application publishing, and virtual machine hosting. All of these have culminated in a set of well thought-out services that can be implemented and delivered in various ways. Many have witnessed the failure of VDI in their organizations--much of it because of forgotten components, erroneous architecture, and a steep learning curve. Conversely, there have been outstanding and extremely successful implementations by those who thought through the core components that make or break the solution, such as storage, profile management, image management, self-service, and simplifying the user experience from end to end. In many instances--indeed, in most instances--where VDI is new to an organization, finding the right partner--one who has been around the block before--is critical to an implementation's success.

One thing is clear: Running into a VDI implementation without first considering all of the components is a recipe for disaster. And finding the right experienced partner is key.